CVE-2016-9466 — Cross-site Scripting in Server

CWE-79 — Cross-site Scripting3 documents3 sources

Severity

6.1MEDIUMNVD

EPSS

0.5%

top 35.99%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nextcloud Server Owncloud

Timeline

PublishedMar 28

Latest updateMay 13

Description

Nextcloud Server before 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 suffer from Reflected XSS in the Gallery application. The gallery app was not properly sanitizing exception messages from the Nextcloud/ownCloud server. Due to an endpoint where an attacker could influence the error message, this led to a reflected Cross-Site-Scripting vulnerability.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶NVDnextcloud/nextcloud_server10.0.0 — 10.0.1

▶NVDowncloud/owncloud9.0.0 — 9.0.6+1

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-m5x2-59hv-phpr: Nextcloud Server before 10↗2022-05-13

▶

CVEList

CVE-2016-9466: Nextcloud Server before 10↗2017-03-28

▶